November 2017 - Posts

Following the worst mass shooting in Texas history, the Federal Bureau of Investigation has announced in a press conference that they're unable to get into the smartphone of the shooter. The reason? Encryption.

While the brand of the smartphone was not officially revealed at the time (so as to not alert the "baddies" which one is giving the FBI difficulties), Gizmodo and others have reported that it's an iPhone. Of course, this is not the first time that the FBI and Apple have crossed paths.

There's a History There

Last year, the FBI and Apple went head-to-head in court: The FBI was looking to compel Apple to write a backdoor to its encryption (they denied this; however, the end result would have been the same). A magistrate ordered Apple to create a way to hack into the San Bernardino shooter's iPhone 5c. Apple refused. The parties involved went to a bigger court.

Things were growing into a crescendo in court when the FBI suddenly announced it didn't need Apple's help after all. They had acquired software that could hack into an iPhone 5c (but not newer models). Some critics at the time accused the FBI of backing out, not because it had found another way to get to the encrypted data, but because it looked like the case would set a precedence against the FBI's interests.

Today, we see a situation that is very similar: a mass shooting, a smartphone that's encrypted, the FBI unable to access it. But if you're looking for a repeat of last year's court drama, it probably won't happen.

With the San Bernardino case, the FBI argued that they needed to access the device to see if the shooter was linked to other terrorists; if memory serves, the FBI concluded before going to court that this was not the case. Regardless, a legal decision was sought (and dropped, as mentioned earlier).

In the more recent Texas shooting, we know it's not an act of terrorism – at least not the one the US regularly rallies against. Indeed, if one follows the news, it looks like the FBI is building its case of what happened quite readily, without the need to access the encrypted smartphone.

The usual argument for "there could be an additional threat out there, ready to pounce soon" cannot be made. It would fall upon deaf ears and so there really isn't much impetus for the FBI to make a scene like it did last year. But complain about encryption? It's been doing that any chance it can get, so it's not surprising that they're bringing it up.

Cat and Mouse Games

What is surprising, perhaps barely, is that the FBI still appears to be playing games designed to sway public opinion. According to various media outlets, Apple reached out to the FBI to offer assistance – which feels oxymoronic, the two having gone to court over that same issue – but the FBI never acknowledged it. While some insinuated that Apple did this before the FBI complained about the encrypted phone in the press conference, it was clarified that the Cupertino-based tech giant reached out afterwards, when they finally realized that an iPhone was involved.

Regardless, the offer was for naught.

Apparently, the FBI did not reach out to Apple at all. All reports suggest that the FBI did not completely stop seeking Apple's help after the duo's legal showdown last year, so it is quite surprising that the government did not seek Apple's help in one of the year's most high-profile cases.

Did the FBI do this because they thought that Apple wouldn't help? Or couldn't help? Or because they forgot about it? Or was it a measured tactic that they're using to carve more notches in their "encryption is aiding criminals" pole?

The answer, short of another legal loggerheads extravaganza, will depend on how much Konspiracy Kool-Aid you're willing to drink.

As usual, some degree of sympathy goes out to the FBI and other law-enforcement agencies. Nobody denies that encryption can and will hamstring investigations. However, the position that the FBI (and it is the FBI in particular. You don't hear a peep from the NSA or the CIA regarding encryption) has taken up is highly questionable.

If the past couple of years have shown anything, it's that ordinary citizens need more data security, not less.

The New York attorney general has announced a $700,000 settlement with Hilton Worldwide Holdings over issues related to the two data breaches that occurred in 2014 and 2015. $400,000 will go to New York. The remaining goes to Vermont which collaborated in the investigation.

Reported Breaches Late, In November 2015

Multinational corporations being hacked is old news. It happened to Yahoo, Target, Merck, Equifax, etc. – the list is endless and varied. No industry is exempt, no company is free from the internet renegades who are willing to compromise a network for financial rewards, to make political statements… or just because they're bored and they can.

When a company is fined hundreds of thousands of dollars in this day and age by the government for a data security breach, it means the victimized companies must have grievously erred somehow. In Hilton's case, they were apparently employing lax security practices and were slow with their data breach notifications.

The famed hospitality company became aware of a data breach in February 2015 (the actual hack occurred sometime between November and December 2014). Another breach was discovered in July 2015, with the intrusion occurring between April and July of the same year. The notifications were not sent out until late November. If your yardstick starts from the second breach, it's about two months after discovery; if you're measuring from the first data breach, it's nine months.

Which one to use? Common sense would dictate that it's the first. Especially considering that, while many states' data breach notification laws require a notification no later than 60 calendar days, not all states do. New York, in fact, only states that:

The disclosure must be made in the most expedient time possible and without unreasonable delay…

One could argue that 60 days was as expedient as it could get, but nine months?

In addition, it turned out that Hilton was not compliant with PCI-DSS requirements, a set of security rules meant to minimize the incident of credit card number hacks.

Have You Seen HLT's 10-K?

Seven-hundred thousand dollars is a big chunk of money. However, it's meaningless to a company like Hilton. The holding company had revenues of over $11.6 billion in 2016 with net income of $348 million. That makes $700K a cost of doing business, and a small one at that.

Look at it this way: In Hilton's case, over 360,000 credit cards were put at risk. That works out to nearly a $2 fine per credit card compromised. Their hotels' profit margins on minibar peanuts is probably higher. I imagine that management is probably more concerned about the cost of towels and robes that go missing each year.

So, the AG's proclamation that data breaches take top priority can feel a little anticlimactic based on the figures involved. But, it's not his fault. He doesn't make the law; he merely does what he can with the legal tools he's given. People have been calling for greater punitive damages against companies who appear to be less than concerned that their security is compromised (who in turn have been whining since the early 2000s that they're victims, too. For companies that do this, let's put this way: it's hard to sympathize with a drunk driver who ran over the neighbor's dog but asks for pity because his car was totaled and his ribs are broken).